I am ready to set up the server to the outside. I can either supply the server with an outside static IP or port it through the router, or put the server in the DMZ. Any suggestions or pros and cons to any of these solutions?
Thanks
Bill B
The recommended set-up is to run a mail server in the DMZ to isolate it from your LAN just in case it gets compromised; however, I run my server inside the LAN with ports forwarded through the firewall to the server. IMO, it would depend which ports you have open to the outside world; for me it's just 25, 587, 443 & 993. Any need for secure access to the server is done via OpenVPN through the firewall.
Regards
Bill
What is the advantage of running in the DMZ over forwarding ports? I was leaning towards port forwarding, but I haven't set up a mail server in 4 years, and back then I ran an Exchange server. I am now trying to familiarize myself with everything again. Thanks for your help once again. Maybe I will get a few other replies and more recommendations...
Bill
Generally, having a device on a DMZ rather than on the internal network will limit potential unauthorized access should someone gain control over it.
The theory is that any potential mischief an intruder can cause will be limited to other hosts on the DMZ, and not your critical devices.
In practice, this depends on a lot of things, like what extent of access you allow from the DMZ to the LAN, and what types of firewalls and other protection you've employed.
Rule of thumb is to only grant the access in or out of any network that is absolutely necessary. Give people/applications only the access to the ports/protocols they need, and deny everything else. This isn't always easy though.
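The default-deny rule of thumb above, written out as an nftables forward policy for a three-legged firewall. This is an added example, not part of the original posts; the interface names, the mail server address and the fully routed (no NAT) DMZ are assumptions, and the inbound ports are the ones named earlier in the thread.

```nftables
#!/usr/sbin/nft -f
# Constructed example: names and addresses below are assumptions.
flush ruleset

define WAN_IF = "eth0"      # assumed: Internet-facing interface
define LAN_IF = "eth1"      # assumed: internal LAN
define DMZ_IF = "eth2"      # assumed: DMZ segment
define MAIL   = 192.0.2.10  # assumed: mail server in the DMZ (documentation range)

table inet filter {
    chain forward {
        # Anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to flows that an accept rule below already permitted.
        ct state established,related accept
        ct state invalid drop

        # Internet -> mail server: SMTP, submission, HTTPS, IMAPS only.
        iifname $WAN_IF oifname $DMZ_IF ip daddr $MAIL tcp dport { 25, 587, 443, 993 } accept

        # LAN users -> mail server: submission, webmail, IMAPS.
        iifname $LAN_IF oifname $DMZ_IF ip daddr $MAIL tcp dport { 587, 443, 993 } accept

        # Mail server -> Internet: outbound SMTP delivery and DNS lookups.
        iifname $DMZ_IF oifname $WAN_IF ip saddr $MAIL tcp dport 25 accept
        iifname $DMZ_IF oifname $WAN_IF ip saddr $MAIL udp dport 53 accept
        iifname $DMZ_IF oifname $WAN_IF ip saddr $MAIL tcp dport 53 accept

        # DMZ -> LAN: no accept rule exists, so a compromised mail server
        # cannot open new connections to workstations. Log the attempts.
        iifname $DMZ_IF oifname $LAN_IF log prefix "dmz-to-lan drop: " counter drop
    }
}
```

With plain port forwarding to a server on the LAN, the last rule has no equivalent: the server and the workstations share a segment, so nothing sits between them to filter or log.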
Thanks for the reply, spf. All advice is greatly appreciated.
Bill
Our Zimbra server is connected directly to the LAN, with only port 25 allowed through the 2 firewalls we have. External HTTP access is provided by an Nginx reverse proxy.
During the day we have between 100-150 simultaneous web client sessions. Because of this it makes sense to leave Zimbra on the LAN and not put unnecessary demand on the default router to get to the DMZ - this IPCop box already does routing, web filtering etc. for all 300 workstations.
Your setup is what I have been leaning towards: only allowing port 25 through the router and leaving Zimbra just on the LAN. I will have between 25-30 users daily connecting to Zimbra with the web interface. How does your server handle that many? Any slowdowns? Our users right now use Outlook, Outlook Express, and Thunderbird. I will want them all using web to take advantage of the calendar and IM features. Presently they use resources for IM and for calendar separately. My hope is to free up those resources on the PC so that they can use them to get their work done. They will start the day opening up Outlook Express, an IM program, a calendar program and have Net Nanny running in the background. I hope to take care of most of that with Zimbra on one server and Squid/DansGuardian on another... just some of my thoughts... see anything wrong with that scenario?
thanks
Bill B
The server is a Dell PowerEdge 2950 - dual quad-core Xeon (2.2GHz each), 8GB RAM, 2x 73GB SAS disks in RAID1 and Gigabit ethernet. Operating system is Ubuntu 6.06.2 LTS 64bit.
Under normal use there's usually 2GB RAM free (pesky Java!), and as far as I've noticed (we're only into the third week of using Zimbra) the load average has never gone above 1. Swap isn't used either.
I think your plan of two separate servers is a good idea and is in line with the official Zimbra recommendations of ZCS having a server to itself. What spec servers are you planning for your ZCS and Squid/DG setup?
I picked up a rackable server: dual Xeon 2.8 with 2 gig RAM. I have 4 SCSI drives, 37GB ea. I used Ubuntu 6.06 and set up RAID 1+0, so I have about 68GB to work with for storage. I upgraded Ubuntu to 7.10 and then to Hardy (8.04) and saw no change in Zimbra. The proxy server is a single Xeon processor 2.8 with 1GB RAM and a 60GB drive.
I had felt that I needed to upgrade RAM on the Zimbra server, but I haven't put it into production yet so I wasn't sure. I felt that I needed to be around 4 gig to run smooth.
Bill
Sounds good. I'm not sure about the official compatibility of any other version of Ubuntu than 6.06 though; but if it's working - that's good.
What do you have in place for backup? Depending on disk usage it could be a problem if you create a local copy of the Zimbra directory during backup.
This will eventually be a problem for us as time goes on; but will hopefully have some additional local disks and/or a SAN within the next 6 months.
Yes, I would definitely throw another 2GB of RAM into the Zimbra server to take it up to 4GB - it should perform much better. (Many threads on the forum that can confirm bumping up the RAM makes it quicker)